<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.1.1">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">
  <meta name="google-site-verification" content="T1Dbmn0YmNZwwxNqq98b7FvVCsxbeIChYP6H75TZjdk">
  <meta name="baidu-site-verification" content="code-86L5xW0tJy">

<link rel="stylesheet" href="/css/main.css">



<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.14.0/css/all.min.css">
  <link rel="stylesheet" href="//cdn.jsdelivr.net/npm/animate.css@3.1.1/animate.min.css">

<script class="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"www.whatsblockchain.com","root":"/","scheme":"Gemini","version":"8.0.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12},"copycode":false,"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"prism":false,"i18n":{"placeholder":"搜索...","empty":"没有找到任何搜索结果：${query}","hits_time":"找到 ${hits} 个搜索结果（用时 ${time} 毫秒）","hits":"找到 ${hits} 个搜索结果"}};
  </script>

  <meta name="description" content="事件回顾4月25日早间，火币Pro公告，SMT项目方反馈今日凌晨发现其交易存在异常问题，经初步排查，SMT的以太坊智能合约存在漏洞。火币Pro也同期检测到TXID为https:&#x2F;&#x2F;etherscan.io&#x2F;tx&#x2F;0x0775e55c402281e8ff24cf37d6f2079bf2a768cf7254593287b5f8a0f621fb83的异常。受此影响，火币Pro现决定暂停所有币种的充提币业">
<meta property="og:type" content="article">
<meta property="og:title" content="暂停交易？ERC20合约整数溢出安全漏洞案例技术分析（一）">
<meta property="og:url" content="https://www.whatsblockchain.com/posts/7664e5f1.html">
<meta property="og:site_name" content="区块链大杂烩">
<meta property="og:description" content="事件回顾4月25日早间，火币Pro公告，SMT项目方反馈今日凌晨发现其交易存在异常问题，经初步排查，SMT的以太坊智能合约存在漏洞。火币Pro也同期检测到TXID为https:&#x2F;&#x2F;etherscan.io&#x2F;tx&#x2F;0x0775e55c402281e8ff24cf37d6f2079bf2a768cf7254593287b5f8a0f621fb83的异常。受此影响，火币Pro现决定暂停所有币种的充提币业">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://www.whatsblockchain.com/assets/2018-05-01/news.jpg">
<meta property="og:image" content="https://www.whatsblockchain.com/assets/2018-05-01/news-2.jpg">
<meta property="og:image" content="https://www.whatsblockchain.com/assets/2018-05-01/pic1.jpg">
<meta property="og:image" content="https://www.whatsblockchain.com/assets/2018-05-01/pic2.jpg">
<meta property="article:published_time" content="2018-04-30T16:00:00.000Z">
<meta property="article:modified_time" content="2020-09-16T06:55:42.810Z">
<meta property="article:author" content="吴寿鹤">
<meta property="article:tag" content="智能合约">
<meta property="article:tag" content="以太坊">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://www.whatsblockchain.com/assets/2018-05-01/news.jpg">


<link rel="canonical" href="https://www.whatsblockchain.com/posts/7664e5f1.html">


<script class="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>暂停交易？ERC20合约整数溢出安全漏洞案例技术分析（一） | 区块链大杂烩</title>
  
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-145440251-1"></script>
    <script>
      if (CONFIG.hostname === location.hostname) {
        window.dataLayer = window.dataLayer || [];
        function gtag(){dataLayer.push(arguments);}
        gtag('js', new Date());
        gtag('config', 'UA-145440251-1');
      }
    </script>


  <script>
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?9af0452214522472f44968f5a652e2f0";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>




  <noscript>
  <style>
  body { margin-top: 2rem; }

  .use-motion .menu-item,
  .use-motion .sidebar,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header {
    visibility: visible;
  }

  .use-motion .header,
  .use-motion .site-brand-container .toggle,
  .use-motion .footer { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle,
  .use-motion .custom-logo-image {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line {
    transform: scaleX(1);
  }

  .search-pop-overlay, .sidebar-nav { display: none; }
  .sidebar-panel { display: block; }
  </style>
</noscript>

<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --></head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">
    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <i class="logo-line"></i>
      <h1 class="site-title">区块链大杂烩</h1>
      <i class="logo-line"></i>
    </a>
      <p class="site-subtitle" itemprop="description">你想要的这里都有</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>



<nav class="site-nav">
  <ul class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
  </ul>
</nav>




</div>
        
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
  </div>

  <aside class="sidebar">

    <div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
      <ul class="sidebar-nav">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <section class="post-toc-wrap sidebar-panel">
          <div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%BA%8B%E4%BB%B6%E5%9B%9E%E9%A1%BE"><span class="nav-number">1.</span> <span class="nav-text">事件回顾</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90"><span class="nav-number">2.</span> <span class="nav-text">漏洞分析</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%95%B4%E6%95%B0%E6%BA%A2%E5%87%BA"><span class="nav-number">3.</span> <span class="nav-text">整数溢出</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#SMT%E5%90%88%E7%BA%A6%E4%B8%AD%E7%9A%84%E6%95%B4%E6%95%B0%E5%AE%89%E5%85%A8%E9%97%AE%E9%A2%98%E7%AE%80%E6%9E%90"><span class="nav-number">4.</span> <span class="nav-text">SMT合约中的整数安全问题简析</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%85%B6%E4%B8%AD%E7%9A%84%E9%97%AE%E9%A2%98%E5%88%86%E6%9E%90%E5%A6%82%E4%B8%8B"><span class="nav-number">4.1.</span> <span class="nav-text">其中的问题分析如下</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E4%BD%9C%E8%80%85%E4%BF%AE%E6%94%B9%E5%90%8E%E7%9A%84%E4%BB%A3%E7%A0%81%E5%A6%82%E4%B8%8B"><span class="nav-number">4.2.</span> <span class="nav-text">作者修改后的代码如下</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%94%BB%E5%87%BB%E8%80%85%E5%8F%91%E9%80%81%E7%9A%84%E4%BA%A4%E6%98%93"><span class="nav-number">4.3.</span> <span class="nav-text">攻击者发送的交易</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#BEC%E5%90%88%E7%BA%A6%E4%B8%AD%E7%9A%84%E6%95%B4%E6%95%B0%E5%AE%89%E5%85%A8%E9%97%AE%E9%A2%98%E7%AE%80%E6%9E%90"><span class="nav-number">5.</span> <span class="nav-text">BEC合约中的整数安全问题简析</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%85%B6%E4%B8%AD%E9%97%AE%E9%A2%98%E4%BB%A3%E7%A0%81%E5%88%86%E6%9E%90%E5%A6%82%E4%B8%8B"><span class="nav-number">5.1.</span> <span class="nav-text">其中问题代码分析如下</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%94%BB%E5%87%BB%E8%80%85%E5%8F%91%E9%80%81%E7%9A%84%E4%BA%A4%E6%98%93-1"><span class="nav-number">5.2.</span> <span class="nav-text">攻击者发送的交易</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%90%88%E7%BA%A6%E6%95%B4%E6%95%B0%E6%BC%8F%E6%B4%9E%E4%BA%8B%E4%BB%B6%E6%80%BB%E7%BB%93"><span class="nav-number">6.</span> <span class="nav-text">合约整数漏洞事件总结</span></a></li></ol></div>
      </section>
      <!--/noindex-->

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">吴寿鹤</p>
  <div class="site-description" itemprop="description">代码之美，在于架构，架构之美，在于抽象</div>
</div>
<div class="site-state-wrap animated">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">21</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">7</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">11</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>



      </section>
    </div>
  </aside>
  <div class="sidebar-dimmer"></div>


    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>

<noscript>
  <div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>


    <div class="main-inner post posts-expand">
      

      

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://www.whatsblockchain.com/posts/7664e5f1.html">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="吴寿鹤">
      <meta itemprop="description" content="代码之美，在于架构，架构之美，在于抽象">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="区块链大杂烩">
    </span>

    
    
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          暂停交易？ERC20合约整数溢出安全漏洞案例技术分析（一）
        </h1>

        <div class="post-meta-container">
          <div class="post-meta">
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar"></i>
      </span>
      <span class="post-meta-item-text">发表于</span>

      <time title="创建时间：2018-05-01 00:00:00" itemprop="dateCreated datePublished" datetime="2018-05-01T00:00:00+08:00">2018-05-01</time>
    </span>
      <span class="post-meta-item">
        <span class="post-meta-item-icon">
          <i class="far fa-calendar-check"></i>
        </span>
        <span class="post-meta-item-text">更新于</span>
        <time title="修改时间：2020-09-16 14:55:42" itemprop="dateModified" datetime="2020-09-16T14:55:42+08:00">2020-09-16</time>
      </span>
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-folder"></i>
      </span>
      <span class="post-meta-item-text">分类于</span>
        <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
          <a href="/categories/%E6%99%BA%E8%83%BD%E5%90%88%E7%BA%A6/" itemprop="url" rel="index"><span itemprop="name">智能合约</span></a>
        </span>
    </span>

  
    <span class="post-meta-item" title="阅读次数" id="busuanzi_container_page_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="far fa-eye"></i>
      </span>
      <span class="post-meta-item-text">阅读次数：</span>
      <span id="busuanzi_value_page_pv"></span>
    </span>
      </div>
      <div class="post-meta">
    <span class="post-meta-item" title="本文字数">
      <span class="post-meta-item-icon">
        <i class="far fa-file-word"></i>
      </span>
      <span class="post-meta-item-text">本文字数：</span>
      <span>6.7k</span>
    </span>
    <span class="post-meta-item" title="阅读时长">
      <span class="post-meta-item-icon">
        <i class="far fa-clock"></i>
      </span>
      <span class="post-meta-item-text">阅读时长 &asymp;</span>
      <span>6 分钟</span>
    </span>
</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">
        <h2 id="事件回顾"><a href="#事件回顾" class="headerlink" title="事件回顾"></a>事件回顾</h2><p>4月25日早间，火币Pro公告，SMT项目方反馈今日凌晨发现其交易存在异常问题，经初步排查，SMT的以太坊智能合约存在漏洞。火币Pro也同期检测到TXID为<a target="_blank" rel="noopener" href="https://etherscan.io/tx/0x0775e55c402281e8ff24cf37d6f2079bf2a768cf7254593287b5f8a0f621fb83">https://etherscan.io/tx/0x0775e55c402281e8ff24cf37d6f2079bf2a768cf7254593287b5f8a0f621fb83</a>的异常。受此影响，火币Pro现决定暂停所有币种的充提币业务，随后，火币Pro又发布公告称暂停SMT/USDT、SMT/BTC和SMT/ETH的交易。此外，OKEx，gate.io等交易平台也已经暂停了SMT的充提和交易。截止暂停交易，SMT在火币Pro的价格下跌近20%。</p>
<a id="more"></a>
<p><img src="/assets/2018-05-01/news.jpg" alt="img"></p>
<p><img src="/assets/2018-05-01/news-2.jpg" alt="img"></p>
<p>该漏洞代理的直接经济损失高达上亿元人民币，间接产生的负面影响目前无法估量。这到底是怎样一个漏洞呢？下面将详细分析该漏洞的产生和解决方案。</p>
<h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p>SMT与前几天爆出的美图BEC代币都出现类似的安全漏洞—整数溢出，那么什么是整数溢出，整数溢出出现的原因是什么，怎样才能避免整数溢出呢？接下来我们带着这些问题来看下面的内容。</p>
<h2 id="整数溢出"><a href="#整数溢出" class="headerlink" title="整数溢出"></a>整数溢出</h2><p>整数溢出分向上溢出和向下溢出，有关智能合约安全的其他关键点作者在《区块链开发实战——以太坊关键技术与案例分析》中有详细介绍，以下是截取本书中关于整数溢出的部分，通过下面文字的阅读大家就可以对：什么是整数溢出，整数溢出出现的原因是什么，怎样才能避免整数溢出呢？这三个问题有个答案了。</p>
<p>以下文字截取于《区块链开发实战——以太坊关键技术与案例分析》</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">pragma solidity ^<span class="number">0.4</span><span class="number">.10</span>;</span><br><span class="line"></span><br><span class="line"><span class="comment">/**</span></span><br><span class="line"><span class="comment">这是一个测试整数类型上溢和下溢的例子</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">contract Test&#123;</span><br><span class="line"></span><br><span class="line">  <span class="comment">// 整数上溢</span></span><br><span class="line">  <span class="comment">//如果uint8 类型的变量达到了它的最大值(255)，如果在加上一个大于0的值便会变成0</span></span><br><span class="line">  <span class="function"><span class="keyword">function</span> <span class="title">test</span>(<span class="params"></span>) <span class="title">returns</span>(<span class="params">uint8</span>)</span>&#123;</span><br><span class="line">    uint8 a = <span class="number">255</span>;</span><br><span class="line">    uint8 b = <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> a+b;<span class="comment">// return 0</span></span><br><span class="line">  &#125;</span><br><span class="line"></span><br><span class="line">  <span class="comment">//整数下溢</span></span><br><span class="line">  <span class="comment">//如果uint8 类型的变量达到了它的最小值(0)，如果在减去一个小于0的值便会变成255(uin8 类型的最大值)</span></span><br><span class="line">  <span class="function"><span class="keyword">function</span> <span class="title">test_1</span>(<span class="params"></span>) <span class="title">returns</span>(<span class="params">uint8</span>)</span>&#123;</span><br><span class="line">    uint8 a = <span class="number">0</span>;</span><br><span class="line">    uint8 b = <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> a-b;<span class="comment">// return 255</span></span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>有了上面的理论基础，我们在看一个转账的例子，看在我们的合约中应该如何避免不安全的代码出现：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// 存储用户余额信息</span></span><br><span class="line">mapping (<span class="function"><span class="params">address</span> =&gt;</span> uint256) public balanceOf;</span><br><span class="line"></span><br><span class="line"><span class="comment">// 不安全的代码</span></span><br><span class="line"><span class="comment">// 函数功能：转账，这里没有做整数溢出检查</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">transfer</span>(<span class="params">address _to, uint256 _value</span>) </span>&#123;</span><br><span class="line">    <span class="comment">/* 检查发送者是否有足够的余额*/</span></span><br><span class="line">    <span class="keyword">if</span> (balanceOf[msg.sender] &lt; _value)</span><br><span class="line">        <span class="keyword">throw</span>;</span><br><span class="line">    <span class="comment">/*  修改发送者和接受者的余额 */</span></span><br><span class="line">    balanceOf[msg.sender] -= _value;</span><br><span class="line">    balanceOf[_to] += _value;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">// 安全代码</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">transfer</span>(<span class="params">address _to, uint256 _value</span>) </span>&#123;</span><br><span class="line">    <span class="comment">/* 检查发送者是否有足够的余额，同时做溢出检查：balanceOf[_to] + _value &lt; balanceOf[_to] */</span></span><br><span class="line">    <span class="keyword">if</span> (balanceOf[msg.sender] &lt; _value || balanceOf[_to] + _value &lt; balanceOf[_to])</span><br><span class="line">        <span class="keyword">throw</span>;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* 修改发送者和接受者的余额 */</span></span><br><span class="line">    balanceOf[msg.sender] -= _value;</span><br><span class="line">    balanceOf[_to] += _value;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>我们在做整数运算的时候要时刻注意上溢，下溢检查，尤其对于较小数字的类型比如uint8、uint16、uint24更加要小心：它们更加容易达到最大值，最小值。</p>
<h2 id="SMT合约中的整数安全问题简析"><a href="#SMT合约中的整数安全问题简析" class="headerlink" title="SMT合约中的整数安全问题简析"></a>SMT合约中的整数安全问题简析</h2><p>SMT的合约地址是：0x55F93985431Fc9304077687a35A1BA103dC1e081，合约代码可以访问etherscan的如下网址进行查看</p>
<p><a href="hhttps://etherscan.io/address/0x55f93985431fc9304077687a35a1ba103dc1e081#code">https://etherscan.io/address/0x55f93985431fc9304077687a35a1ba103dc1e081#code</a></p>
<p>SMT合约有问题的代码存在于transferProxy()函数，代码如下：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">transferProxy</span>(<span class="params">address _from, address _to, uint256 _value, uint256 _feeSmt,</span></span></span><br><span class="line"><span class="function"><span class="params">        uint8 _v,bytes32 _r, bytes32 _s</span>) <span class="title">public</span> <span class="title">transferAllowed</span>(<span class="params">_from</span>) <span class="title">returns</span> (<span class="params">bool</span>)</span>&#123;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(balances[_from] &lt; _feeSmt + _value) revert();</span><br><span class="line"></span><br><span class="line">        uint256 nonce = nonces[_from];</span><br><span class="line">        bytes32 h = keccak256(_from,_to,_value,_feeSmt,nonce);</span><br><span class="line">        <span class="keyword">if</span>(_from != ecrecover(h,_v,_r,_s)) revert();</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(balances[_to] + _value &lt; balances[_to]</span><br><span class="line">            || balances[msg.sender] + _feeSmt &lt; balances[msg.sender]) revert();</span><br><span class="line">        balances[_to] += _value;</span><br><span class="line">        Transfer(_from, _to, _value);</span><br><span class="line"></span><br><span class="line">        balances[msg.sender] += _feeSmt;</span><br><span class="line">        Transfer(_from, msg.sender, _feeSmt);</span><br><span class="line"></span><br><span class="line">        balances[_from] -= _value + _feeSmt;</span><br><span class="line">        nonces[_from] = nonce + <span class="number">1</span>;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure>
<h3 id="其中的问题分析如下"><a href="#其中的问题分析如下" class="headerlink" title="其中的问题分析如下"></a>其中的问题分析如下</h3><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">transferProxy</span>(<span class="params">address _from, address _to, uint256 _value, uint256 _feeSmt,</span></span></span><br><span class="line"><span class="function"><span class="params">        uint8 _v,bytes32 _r, bytes32 _s</span>) <span class="title">public</span> <span class="title">transferAllowed</span>(<span class="params">_from</span>) <span class="title">returns</span> (<span class="params">bool</span>)</span>&#123;</span><br><span class="line"></span><br><span class="line">    <span class="comment">//错误1：这里没有做整数上溢出检查</span></span><br><span class="line">    <span class="comment">//_feeSmt,value都是由外部传入的参数，通过我们之前的理论这里可能会出现整数上溢出的情况</span></span><br><span class="line">    <span class="comment">// 例如：_feeSmt = 8fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ,</span></span><br><span class="line">    <span class="comment">// value = 7000000000000000000000000000000000000000000000000000000000000001</span></span><br><span class="line">    <span class="comment">//  _feeSmt和value均是uint256无符号整数，相加后最高位舍掉，结果为0。</span></span><br><span class="line">    <span class="comment">// 那么_feeSmt + _value = 0 直接溢出，绕过代码检查，导致可以构造巨大数量的smt代币并进行转账</span></span><br><span class="line">        <span class="keyword">if</span>(balances[_from] &lt; _feeSmt + _value) revert();</span><br><span class="line"></span><br><span class="line">        uint256 nonce = nonces[_from];</span><br><span class="line">        bytes32 h = keccak256(_from,_to,_value,_feeSmt,nonce);</span><br><span class="line">        <span class="keyword">if</span>(_from != ecrecover(h,_v,_r,_s)) revert();</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(balances[_to] + _value &lt; balances[_to]</span><br><span class="line">            || balances[msg.sender] + _feeSmt &lt; balances[msg.sender]) revert();</span><br><span class="line">        balances[_to] += _value;</span><br><span class="line">        Transfer(_from, _to, _value);</span><br><span class="line"></span><br><span class="line">        balances[msg.sender] += _feeSmt;</span><br><span class="line">        Transfer(_from, msg.sender, _feeSmt);</span><br><span class="line"></span><br><span class="line">        balances[_from] -= _value + _feeSmt;</span><br><span class="line">        nonces[_from] = nonce + <span class="number">1</span>;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure>
<h3 id="作者修改后的代码如下"><a href="#作者修改后的代码如下" class="headerlink" title="作者修改后的代码如下"></a>作者修改后的代码如下</h3><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">transferProxy</span>(<span class="params">address _from, address _to, uint256 _value, uint256 _feeSmt,</span></span></span><br><span class="line"><span class="function"><span class="params">        uint8 _v,bytes32 _r, bytes32 _s</span>) <span class="title">public</span> <span class="title">transferAllowed</span>(<span class="params">_from</span>) <span class="title">returns</span> (<span class="params">bool</span>)</span>&#123;</span><br><span class="line"></span><br><span class="line">    <span class="comment">//错误1：这里没有做整数上溢出检查</span></span><br><span class="line">    <span class="comment">//_feeSmt,value都是由外部传入的参数，通过我们之前的理论这里可能会出现整数上溢出的情况</span></span><br><span class="line">    <span class="comment">// 例如：_feeSmt = 8fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ,</span></span><br><span class="line">    <span class="comment">// value = 7000000000000000000000000000000000000000000000000000000000000001</span></span><br><span class="line">    <span class="comment">//  _feeSmt和value均是uint256无符号整数，相加后最高位舍掉，结果为0。</span></span><br><span class="line">    <span class="comment">// 那么_feeSmt + _value = 0 直接溢出，绕过代码检查，导致可以构造巨大数量的smt代币并进行转账</span></span><br><span class="line"></span><br><span class="line">        <span class="comment">// 在这里做整数上溢出检查</span></span><br><span class="line">        <span class="keyword">if</span>(balances[_to] + _value &lt; balances[_to]</span><br><span class="line">            || balances[msg.sender] + _feeSmt &lt; balances[msg.sender]) revert();</span><br><span class="line"></span><br><span class="line">        <span class="comment">// 在这里做整数上溢出检查 ,防止交易费用 过大</span></span><br><span class="line">        <span class="keyword">if</span>(_feeSmt + _value &lt; _value ) revert();</span><br><span class="line"></span><br><span class="line">        <span class="comment">// 在这里做整数上溢出检查 ,防止交易费用 过大</span></span><br><span class="line">        <span class="keyword">if</span>(balances[_from] &lt; _feeSmt + _value) revert();</span><br><span class="line"></span><br><span class="line">        uint256 nonce = nonces[_from];</span><br><span class="line">        bytes32 h = keccak256(_from,_to,_value,_feeSmt,nonce);</span><br><span class="line">        <span class="keyword">if</span>(_from != ecrecover(h,_v,_r,_s)) revert();</span><br><span class="line"></span><br><span class="line">        <span class="comment">// 条件检查尽量 在开头做</span></span><br><span class="line">        <span class="comment">// if(balances[_to] + _value &lt; balances[_to]</span></span><br><span class="line">        <span class="comment">//     || balances[msg.sender] + _feeSmt &lt; balances[msg.sender]) revert();</span></span><br><span class="line">        balances[_to] += _value;</span><br><span class="line">        Transfer(_from, _to, _value);</span><br><span class="line"></span><br><span class="line">        balances[msg.sender] += _feeSmt;</span><br><span class="line">        Transfer(_from, msg.sender, _feeSmt);</span><br><span class="line"></span><br><span class="line">        balances[_from] -= _value + _feeSmt;</span><br><span class="line">        nonces[_from] = nonce + <span class="number">1</span>;</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure>
<h3 id="攻击者发送的交易"><a href="#攻击者发送的交易" class="headerlink" title="攻击者发送的交易"></a>攻击者发送的交易</h3><p>以下是攻击者恶意发送的转账交易地地址：<a target="_blank" rel="noopener" href="https://etherscan.io/tx/0x1abab4c8db9a30e703114528e31dee129a3a758f7f8abc3b6494aad3d304e43f">https://etherscan.io/tx/0x1abab4c8db9a30e703114528e31dee129a3a758f7f8abc3b6494aad3d304e43f</a></p>
<p><img src="/assets/2018-05-01/pic1.jpg" alt="img">黑客攻击截图</p>
<h2 id="BEC合约中的整数安全问题简析"><a href="#BEC合约中的整数安全问题简析" class="headerlink" title="BEC合约中的整数安全问题简析"></a>BEC合约中的整数安全问题简析</h2><p>BEC的合约地址是0xC5d105E63711398aF9bbff092d4B6769C82F793D，合约代码可以访问etherscan的如下网址进行查看<a target="_blank" rel="noopener" href="https://etherscan.io/address/0xc5d105e63711398af9bbff092d4b6769c82f793d#code">https://etherscan.io/address/0xc5d105e63711398af9bbff092d4b6769c82f793d#code</a></p>
<p>BEC合约有问题的代码存在于batchTransfer()函数，代码如下：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">batchTransfer</span>(<span class="params">address[] _receivers, uint256 _value</span>) <span class="title">public</span> <span class="title">whenNotPaused</span> <span class="title">returns</span> (<span class="params">bool</span>) </span>&#123;</span><br><span class="line">    uint cnt = _receivers.length;</span><br><span class="line">    uint256 amount = uint256(cnt) * _value;</span><br><span class="line">    <span class="built_in">require</span>(cnt &gt; <span class="number">0</span> &amp;&amp; cnt &lt;= <span class="number">20</span>);</span><br><span class="line">    <span class="built_in">require</span>(_value &gt; <span class="number">0</span> &amp;&amp; balances[msg.sender] &gt;= amount);</span><br><span class="line"></span><br><span class="line">    balances[msg.sender] = balances[msg.sender].sub(amount);</span><br><span class="line">    <span class="keyword">for</span> (uint i = <span class="number">0</span>; i &lt; cnt; i++) &#123;</span><br><span class="line">        balances[_receivers[i]] = balances[_receivers[i]].add(_value);</span><br><span class="line">        Transfer(msg.sender, _receivers[i], _value);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<h3 id="其中问题代码分析如下"><a href="#其中问题代码分析如下" class="headerlink" title="其中问题代码分析如下"></a>其中问题代码分析如下</h3><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">batchTransfer</span>(<span class="params">address[] _receivers, uint256 _value</span>) <span class="title">public</span> <span class="title">whenNotPaused</span> <span class="title">returns</span> (<span class="params">bool</span>) </span>&#123;</span><br><span class="line">    uint cnt = _receivers.length;</span><br><span class="line">    <span class="comment">// 这里直接使用乘法运算符，可能会导致溢出</span></span><br><span class="line">    <span class="comment">// 变量cnt为转账的地址数量，可以通过外界的用户输入_receivers进行控制，_value为单地址转账数额，也可以直接进行控制。</span></span><br><span class="line">    <span class="comment">// 外界可以通过调整_receivers和_value的数值，产生乘法运算溢出，得出非预期amount数值，amount溢出后可以为一个很小的数字或者0，</span></span><br><span class="line">    uint256 amount = uint256(cnt) * _value;</span><br><span class="line">    <span class="built_in">require</span>(cnt &gt; <span class="number">0</span> &amp;&amp; cnt &lt;= <span class="number">20</span>);</span><br><span class="line">    <span class="comment">// 这里判断当前用户拥有的代币余额是否大于或等于要转移的amount数量</span></span><br><span class="line">    <span class="comment">// 由于之前恶意用户通过调大单地址转账数额_value的数值，使amount溢出后可以为一个很小的数字或者0，</span></span><br><span class="line">    <span class="comment">// 所以很容易绕过balances[msg.sender] &gt;= amount的检查代码。从而产生巨大_value数额的恶意转账。</span></span><br><span class="line">    <span class="built_in">require</span>(_value &gt; <span class="number">0</span> &amp;&amp; balances[msg.sender] &gt;= amount);</span><br><span class="line"></span><br><span class="line">    <span class="comment">//调用Safemath库中的安全函数来完成加减操作</span></span><br><span class="line">    balances[msg.sender] = balances[msg.sender].sub(amount);</span><br><span class="line">    <span class="keyword">for</span> (uint i = <span class="number">0</span>; i &lt; cnt; i++) &#123;</span><br><span class="line">        balances[_receivers[i]] = balances[_receivers[i]].add(_value);</span><br><span class="line">        Transfer(msg.sender, _receivers[i], _value);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<h3 id="攻击者发送的交易-1"><a href="#攻击者发送的交易-1" class="headerlink" title="攻击者发送的交易"></a>攻击者发送的交易</h3><p>以下是攻击者恶意发送的转账交易：</p>
<p><a target="_blank" rel="noopener" href="https://etherscan.io/tx/0xad89ff16fd1ebe3a0a7cf4ed282302c06626c1af33221ebe0d3a470aba4a660f">https://etherscan.io/tx/0xad89ff16fd1ebe3a0a7cf4ed282302c06626c1af33221ebe0d3a470aba4a660f</a></p>
<p><img src="/assets/2018-05-01/pic2.jpg" alt="img">黑客攻击截图</p>
<h2 id="合约整数漏洞事件总结"><a href="#合约整数漏洞事件总结" class="headerlink" title="合约整数漏洞事件总结"></a>合约整数漏洞事件总结</h2><p>从上面的分析中，大家可以看出针对SMT和BEC的合约恶意攻击都是通过恶意的整数溢出来绕过条件检查。目前以太坊上运行着上千种合约，这上千种合约中可能也存在类似的安全隐患，所以作为合约的开发人员需要投入更多的精力来确保合约的安全性。</p>
<p>下篇我们将详细的介绍如何正确保合约的安全，敬请期待。</p>

    </div>

    
    
    
      
  <div class="popular-posts-header">相关文章推荐</div>
  <ul class="popular-posts">
    <li class="popular-posts-item">
      <div class="popular-posts-title"><a href="/posts/c052872a.html" rel="bookmark">理解以太坊中智能合约中的存储</a></div>
    </li>
    <li class="popular-posts-item">
      <div class="popular-posts-title"><a href="/posts/3e17fcd9.html" rel="bookmark">科普：什么是以太坊</a></div>
    </li>
    <li class="popular-posts-item">
      <div class="popular-posts-title"><a href="/posts/318c223a.html" rel="bookmark">zkRollup介绍 原理篇 </a></div>
    </li>
    <li class="popular-posts-item">
      <div class="popular-posts-title"><a href="/posts/58cf1c1b.html" rel="bookmark">零知识证明介绍 </a></div>
    </li>
    <li class="popular-posts-item">
      <div class="popular-posts-title"><a href="/posts/2e1e9deb.html" rel="bookmark">精通 Uniswap</a></div>
    </li>
  </ul>


    <footer class="post-footer">
          

<div class="post-copyright">
<ul>
  <li class="post-copyright-author">
      <strong>原作者： </strong>吴寿鹤
  </li>
  <li class="post-copyright-link">
      <strong>本文链接：</strong>
      <a href="https://www.whatsblockchain.com/posts/7664e5f1.html" title="暂停交易？ERC20合约整数溢出安全漏洞案例技术分析（一）">https://www.whatsblockchain.com/posts/7664e5f1.html</a>
  </li>
  <li class="post-copyright-license">
    <strong>版权声明： </strong>本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" rel="noopener" target="_blank"><i class="fab fa-fw fa-creative-commons"></i>BY-NC-SA</a> 许可协议。转载请注明出处！
  </li>
</ul>
</div>

          <div class="post-tags">
              <a href="/tags/%E6%99%BA%E8%83%BD%E5%90%88%E7%BA%A6/" rel="tag"># 智能合约</a>
              <a href="/tags/%E4%BB%A5%E5%A4%AA%E5%9D%8A/" rel="tag"># 以太坊</a>
          </div>

        

          <div class="post-nav">
            <div class="post-nav-item">
                <a href="/posts/a7b53d58.html" rel="prev" title="【分布式共识四】POW共识算法">
                  <i class="fa fa-chevron-left"></i> 【分布式共识四】POW共识算法
                </a>
            </div>
            <div class="post-nav-item">
                <a href="/posts/126665fc.html" rel="next" title="IPOS共识算法设计">
                  IPOS共识算法设计 <i class="fa fa-chevron-right"></i>
                </a>
            </div>
          </div>
    </footer>
  </article>
  
  
  



      

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      const activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      const commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

    </div>
  </main>

  <footer class="footer">
    <div class="footer-inner">
      

      

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">吴寿鹤</span>
</div>
<div class="wordcount">
  <span class="post-meta-item">
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-line"></i>
    </span>
      <span>站点总字数：</span>
    <span title="站点总字数">87k</span>
  </span>
  <span class="post-meta-item">
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
      <span>站点阅读时长 &asymp;</span>
    <span title="站点阅读时长">1:19</span>
  </span>
</div>
<div class="busuanzi-count">
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="总访客量">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="总访问量">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.js.org/" class="theme-link" rel="noopener" target="_blank">NexT.Gemini</a> 强力驱动
  </div>

    </div>
  </footer>

  
  <script src="//cdn.jsdelivr.net/npm/animejs@3.2.0/lib/anime.min.js"></script>
<script src="/js/utils.js"></script><script src="/js/motion.js"></script><script src="/js/next-boot.js"></script>

  
  <script>
    (function(){
      var bp = document.createElement('script');
      var curProtocol = window.location.protocol.split(':')[0];
      bp.src = (curProtocol === 'https') ? 'https://zz.bdstatic.com/linksubmit/push.js' : 'http://push.zhanzhang.baidu.com/push.js';
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(bp, s);
    })();
  </script>


















  
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>








  

  
      <script>
  if (typeof MathJax === 'undefined') {
    window.MathJax = {
      tex: {
        inlineMath: {'[+]': [['$', '$']]},
        tags: 'ams'
      },
      options: {
        renderActions: {
          findScript: [10, doc => {
            document.querySelectorAll('script[type^="math/tex"]').forEach(node => {
              const display = !!node.type.match(/; *mode=display/);
              const math = new doc.options.MathItem(node.textContent, doc.inputJax[0], display);
              const text = document.createTextNode('');
              node.parentNode.replaceChild(text, node);
              math.start = {node: text, delim: '', n: 0};
              math.end = {node: text, delim: '', n: 0};
              doc.math.push(math);
            });
          }, '', false],
          insertedScript: [200, () => {
            document.querySelectorAll('mjx-container').forEach(node => {
              const target = node.parentNode;
              if (target.nodeName.toLowerCase() === 'li') {
                target.parentNode.classList.add('has-jax');
              }
            });
          }, '', false]
        }
      }
    };
    const script = document.createElement('script');
    script.src = '//cdn.jsdelivr.net/npm/mathjax@3.1.0/es5/tex-mml-chtml.js';
    script.defer = true;
    document.head.appendChild(script);
  } else {
    MathJax.startup.document.state(0);
    MathJax.typesetClear();
    MathJax.texReset();
    MathJax.typeset();
  }
</script>

    

  

</body>
</html>
